The Hacker News — Cyber Security, Hacking, Technology News

Almost half a million people in the United States are being urged to get their pacemakers updated, because the devices are vulnerable to hacking.

The Food and Drug Administration (FDA) has announced a recall covering 465,000 pacemakers after security flaws were found that could allow an attacker to reprogram a device to drain its battery or alter the patient's heartbeat, potentially putting nearly half a million patients' lives at risk.

A pacemaker is a small electrical battery-operated device that's surgically implanted in the chest of patients to help control their heartbeats. The device uses low-energy electrical pulses to stimulate the heart to beat at a normal rate.

Six pacemaker models, all manufactured by health-tech firm Abbott (which acquired St. Jude Medical), are affected by the recall: the Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure.

All the affected models are radio-frequency (RF) enabled cardiac devices, typically fitted to patients with irregular heartbeats or patients recovering from heart failure, and were manufactured before August 28, 2017.

In May, researchers from security firm White Scope also analysed seven pacemaker products from four different vendors and found that the equipment needed to communicate with the devices, including pacemaker programmers, was "commercially available" for between $15 and $3,000.

"Many medical devices—including St. Jude Medical's implantable cardiac pacemakers—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits," the FDA said in a security advisory.

"As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates."

To protect against these vulnerabilities, the pacemakers must receive a firmware update. The good news is that patients affected by the recall do not need to have their pacemakers removed and replaced.

Instead, patients with one of the vulnerable implanted devices must visit their healthcare provider to receive a firmware update, which takes roughly three minutes to complete and fixes the vulnerabilities.

After the firmware update, any external device trying to communicate with the pacemaker will require authorization.

The update also introduces data encryption, operating system fixes, and the ability to disable network connectivity features, according to Abbott's press release published on Tuesday, August 29, 2017.
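To make concrete what "any external device will require authorization" means in practice, here is an added illustration (written for this page, not Abbott's protocol or code) of the difference between a device that applies any RF command it receives and one that only applies commands carrying a MAC over a fresh, single-use challenge. The device key, the command format and the safe rate range are all assumptions for the demo; the point is that a rogue programmer without the key, a replayed capture, and an out-of-range setting are each rejected.

```python
import hashlib
import hmac
import os

# Constructed, illustrative device key. In practice a per-device key would be
# provisioned at manufacture; this one exists only so the example runs offline.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

SAFE_RATE_RANGE = (50, 120)  # beats per minute; illustrative bounds, not a clinical spec


class LegacyPacemaker:
    """Pre-update behaviour: any RF command is applied without checking who sent it."""

    def __init__(self):
        self.rate = 70

    def accept(self, command: bytes) -> bool:
        return self._apply(command)

    def _apply(self, command: bytes) -> bool:
        if command.startswith(b"SET_RATE="):
            self.rate = int(command[len(b"SET_RATE="):])
            return True
        return False


class AuthenticatedPacemaker(LegacyPacemaker):
    """Post-update behaviour: a command is applied only if it carries a valid MAC
    over a fresh device-issued nonce, so rogue programmers and replays are rejected."""

    def __init__(self, key: bytes):
        super().__init__()
        self._key = key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def accept(self, command: bytes, tag: bytes) -> bool:
        if self._nonce is None:
            return False  # no outstanding challenge: nothing to authenticate against
        expected = hmac.new(self._key, self._nonce + command, hashlib.sha256).digest()
        self._nonce = None  # single use: a replayed (nonce, tag) pair never matches again
        if not hmac.compare_digest(expected, tag):
            return False
        lo, hi = SAFE_RATE_RANGE
        if command.startswith(b"SET_RATE=") and not lo <= int(command[9:]) <= hi:
            return False  # defence in depth: reject unsafe settings even when authenticated
        return self._apply(command)


class Programmer:
    """The clinician's external programmer; holds the shared key (a rogue one does not)."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, nonce: bytes, command: bytes) -> bytes:
        return hmac.new(self._key, nonce + command, hashlib.sha256).digest()


def send(device: AuthenticatedPacemaker, programmer: Programmer, command: bytes):
    """One authorised exchange: the device issues a nonce, the programmer answers with a MAC."""
    nonce = device.challenge()
    tag = programmer.sign(nonce, command)
    return device.accept(command, tag), (nonce, tag)


def demo() -> dict:
    legacy = LegacyPacemaker()
    legacy.accept(b"SET_RATE=30")  # anyone within RF range can do this on the old firmware

    device = AuthenticatedPacemaker(DEVICE_KEY)
    ok_clinic, (_, tag) = send(device, Programmer(DEVICE_KEY), b"SET_RATE=60")
    ok_rogue, _ = send(device, Programmer(b"wrong key"), b"SET_RATE=30")
    device.challenge()  # a fresh challenge is issued, then the old capture is replayed
    ok_replay = device.accept(b"SET_RATE=60", tag)
    ok_unsafe, _ = send(device, Programmer(DEVICE_KEY), b"SET_RATE=30")
    return {
        "legacy_rate": legacy.rate,
        "clinic": ok_clinic, "rogue": ok_rogue, "replay": ok_replay, "unsafe": ok_unsafe,
        "rate": device.rate,
    }


if __name__ == "__main__":
    print(demo())
```

The challenge-response is what distinguishes "authorization" from merely "encryption": encrypting the link alone does not stop a device that holds no key from being ignored only if the receiver also checks a MAC bound to a nonce it chose itself.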

Any pacemaker device manufactured beginning August 28, 2017, will have the firmware update pre-installed and will not need the update.

The FDA recall of devices does not apply to implantable cardiac defibrillators (ICDs) and cardiac resynchronization ICDs.

Abbott is working with the FDA, the U.S. Department of Homeland Security (DHS), global regulators, and leading independent security experts, in efforts to "strengthen protections against unauthorized access to its devices."

Although there are no reports of pacemakers being compromised yet, the threat is serious enough that an attack could harm a heart patient with an implanted pacemaker and put their life at risk.

Recently, researchers from two security firms have independently spotted two mass email campaigns, spreading two different, but new variants of the Locky ransomware.

Lukitus Campaign Sends 23 Million Emails in 24 Hours

The campaign spotted by researchers at AppRiver sent out more than 23 million messages containing Locky ransomware in just 24 hours on 28 August across the United States in what appears to be one of the largest malware campaigns in the second half of this year.

According to the researchers, the emails sent out in the attack were "extremely vague," with subject lines such as "please print," "documents," "images," "photos," "pictures," and "scans," in an attempt to lure victims into infecting themselves with Locky ransomware.

Once a victim is tricked into opening the attached Visual Basic Script (VBS) file, it runs a downloader that fetches the latest version of the Locky ransomware, called Lukitus (Finnish for "locked"). Lukitus encrypts the files on the target computer and appends the extension [.]lukitus to each encrypted file.

When encryption finishes, the malware displays a ransom note on the victim's desktop instructing them to download and install the Tor browser and visit the attacker's site for further instructions and payment.

This Locky Lukitus variant demands 0.5 Bitcoin (~$2,300) from victims for a "Locky decryptor" to get their files back.
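The infection chain above (script host drops a downloader, the payload then renames files en masse to a new extension) is the kind of behaviour an endpoint detection rule can catch even when the sample itself is new. The following is an added example, not from the article or AppRiver, of two such rules run over a constructed, Sysmon-like event feed; the event format, process names and thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry in a simple "timestamp|process|action|path" form,
# modelled loosely on an EDR/Sysmon feed. Not real Locky data.
SAMPLE_EVENTS = r"""
2017-08-28T09:12:01|OUTLOOK.EXE|create|C:\Users\amy\AppData\Local\Temp\scans.zip
2017-08-28T09:12:09|wscript.exe|create|C:\Users\amy\AppData\Local\Temp\hJ3k.exe
2017-08-28T09:12:20|explorer.exe|rename|C:\Users\amy\Desktop\old.txt -> C:\Users\amy\Desktop\new.txt
2017-08-28T09:12:31|hJ3k.exe|rename|C:\Users\amy\Documents\q1.xlsx -> C:\Users\amy\Documents\A1B2C3D4-0001.lukitus
2017-08-28T09:12:32|hJ3k.exe|rename|C:\Users\amy\Documents\q2.xlsx -> C:\Users\amy\Documents\A1B2C3D4-0002.lukitus
2017-08-28T09:12:33|hJ3k.exe|rename|C:\Users\amy\Documents\plan.docx -> C:\Users\amy\Documents\A1B2C3D4-0003.lukitus
2017-08-28T09:12:35|hJ3k.exe|rename|C:\Users\amy\Pictures\img1.jpg -> C:\Users\amy\Pictures\A1B2C3D4-0004.lukitus
2017-08-28T09:12:36|hJ3k.exe|rename|C:\Users\amy\Pictures\img2.jpg -> C:\Users\amy\Pictures\A1B2C3D4-0005.lukitus
2017-08-28T09:12:38|hJ3k.exe|rename|C:\Users\amy\Pictures\img3.jpg -> C:\Users\amy\Pictures\A1B2C3D4-0006.lukitus
2017-08-28T09:15:00|WINWORD.EXE|create|C:\Users\amy\Documents\notes.docx
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\|(?P<proc>[^|]+)\|(?P<action>create|rename|write)\|(?P<path>.+)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host, which runs the VBS attachment
RANSOM_EXTS = {".lukitus"}                       # extension appended by this variant
BURST_THRESHOLD = 5                              # assumed tuning: N ransom-extension files ...
WINDOW = timedelta(seconds=60)                   # ... from one process inside this window


def parse(text: str):
    """Turn the pipe-delimited feed into (timestamp, process, action, target path) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # blank or malformed line
        target = m["path"].split(" -> ")[-1]  # for renames, judge the destination name
        events.append((datetime.fromisoformat(m["ts"]), m["proc"].lower(), m["action"], target))
    return events


def detect(events):
    """Rule 1: a script host writes a PE file (dropper stage).
    Rule 2: one process produces BURST_THRESHOLD ransom-extension files within WINDOW."""
    alerts = []
    recent = defaultdict(deque)  # process -> timestamps of its recent ransom-extension files
    flagged = set()
    for ts, proc, action, target in sorted(events):
        low = target.lower()
        if proc in SCRIPT_HOSTS and action == "create" and low.endswith((".exe", ".dll")):
            alerts.append(("script_host_dropper", proc, target))
        if any(low.endswith(ext) for ext in RANSOM_EXTS):
            q = recent[proc]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()  # slide the window
            if len(q) >= BURST_THRESHOLD and proc not in flagged:
                flagged.add(proc)  # alert once per offending process
                alerts.append(("mass_encryption", proc,
                               f"{len(q)} files renamed to .lukitus within {WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_EVENTS)):
        print(alert)
```

The benign rename by explorer.exe and the later Word document do not trip either rule; the extension list is the only Lukitus-specific part, and a deployment would pair it with a generic "many renames to one unknown extension" rule so the next variant is caught too.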

This Lukitus campaign is still ongoing; AppRiver researchers had "quarantined more than 5.6 million" messages from it by Monday morning.

Sadly, there is currently no way to decrypt files locked by this variant without the attackers' key.

2nd Locky Campaign Sends over 62,000 Emails

In separate research, security firm Comodo Labs discovered another massive spam campaign earlier in August that sent out more than 62,000 emails carrying a new Locky variant in just three days during the first stage of the attack.

Dubbed IKARUSdilapidated, the second Locky variant was distributed from 11,625 different IP addresses in 133 countries, most likely a botnet of "zombie computers" used to conduct coordinated phishing attacks.

According to security researchers at Comodo, "this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations' infrastructures."

The original attack, first identified on August 9 and lasting three days, used spam messages that also carried a malicious Visual Basic Script (VBS) attachment which, if opened, behaves the same way as in the campaign described above.

This massive Locky ransomware campaign targets "tens of thousands" of users across the globe, with the five most-targeted countries being Vietnam, India, Mexico, Turkey, and Indonesia.

Here's How to Protect Yourself From Ransomware Attacks

Ransomware has become one of the biggest threats to both individuals and enterprises, with several widespread outbreaks in the last few months, including WannaCry, NotPetya, and LeakerLocker.

Currently there is no decryptor for data locked by the Locky variants above, so users are strongly advised to follow preventive measures to protect themselves.

Beware of phishing emails: Always be suspicious of unsolicited documents sent via email, and never open them or click links inside them without verifying the source.

Back up regularly: Keep a good backup routine that copies your important files and documents to external storage that is not permanently connected to your PC, so that ransomware running on the PC cannot reach the copies.

3. Keystone — a component that uses a DLL injection technique to execute malicious user applications directly in system memory without dropping them to the file system.

4. BadMFS — a covert file system that attempts to install itself in the non-partitioned space of the target computer and stores all the drivers and implants that Wolfcreek starts.

5. Windows Transitory File system — a new method of installing AngelFire that lets the CIA operator create transitory files for specific tasks, such as adding and removing files from AngelFire, rather than laying independent components on disk.

According to a user manual leaked by WikiLeaks, AngelFire requires administrative privileges on a target computer for successful installation.

The 32-bit version of the implant works against Windows XP and Windows 7, while the 64-bit implant can target Windows Server 2008 R2 and Windows 7.

Previous Vault 7 CIA Leaks

Last week, WikiLeaks published another CIA project, dubbed ExpressLane, detailing spying software that CIA agents used to spy on their intelligence partners around the world, including the FBI, DHS and the NSA.

Since March, WikiLeaks has published 22 batches in its "Vault 7" series, including the latest leak and last week's, along with the following:

CouchPotato — A CIA project that revealed its ability to spy on video streams remotely in real-time.

Dumbo — A CIA project that disclosed its ability to hijack and manipulate webcams and microphones to corrupt or delete recordings.

Imperial — A CIA project that revealed details of 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux OS.

UCL/Raytheon — An alleged CIA contractor that analysed advanced in-the-wild malware and submitted at least five reports to the agency to help it develop its own malware.

Highrise — An alleged CIA project that allowed the agency to stealthily collect and forward stolen data from compromised smartphones to its server via SMS messages.

BothanSpy and Gyrfalcon — Two alleged CIA implants that allowed the spy agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux computers using different attack vectors.

Instagram has suffered a potentially serious data breach, with hackers gaining access to the phone numbers and email addresses of many "high-profile" users.

The Facebook-owned photo-sharing service, which has 700 million users, has notified all of its verified users that an unknown hacker accessed some of their profile data, including email addresses and phone numbers, using a bug in Instagram.

The flaw resides in Instagram's application programming interface (API), which the service uses to communicate with other apps.

Although the company did not reveal details of the API flaw, it assured users that the bug has been patched and that its security team is still investigating the incident.

"We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact information—specifically email address and phone number—by exploiting a bug in an Instagram API," Instagram said in a statement.

"No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation."

Instagram declined to name the high-profile users affected, but the news comes two days after an unknown hacker hijacked the most-followed Instagram account, belonging to Selena Gomez, and posted nude photographs of her ex-boyfriend Justin Bieber.

Selena Gomez's account, which has over 125 million followers, was restored later that day and the photos were removed.

However, Instagram did not say whether the data breach was related to the hijacking of Gomez's account.

With email addresses and phone numbers in hand, the hackers' next step could be to use that information together with social engineering, such as targeted phone calls, text messages or phishing emails, in an effort to gain access to verified users' accounts and embarrass them.

The company notified all verified users of the issue via email and also encouraged them to be cautious if they receive suspicious or unrecognised phone calls, text messages, or emails.

Instagram users are also strongly advised to enable two-factor authentication and to protect their accounts with a strong, unique password.

Also, avoid clicking suspicious links or attachments received via email, and do not provide personal or financial information without properly verifying the source.

There is no indication that WikiLeaks' servers or website were compromised; instead, its domain appears to have been redirected to a hacker-controlled server through a DNS hijacking attack, often loosely described as DNS poisoning.

In a DNS hijacking attack of this kind, the attacker gains control of the domain's DNS records, typically at the registrar or the authoritative nameserver, and changes the nameserver or address records so that visitors are directed to a malicious IP address. This is distinct from DNS cache poisoning (DNS spoofing), where forged answers are planted in a recursive resolver's cache while the domain's authoritative records remain untouched.
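Because the two failure modes look identical to an end user (the site "goes somewhere else") but are fixed in different places, a domain owner's monitoring should tell them apart. Below is an added example (written for this page, not WikiLeaks' or anyone's production tooling) of a check that compares the parent zone's delegation, the delegated servers' answers and several recursive resolvers against what the zone owner expects, and classifies the result. Resolvers are modelled as injectable callables backed by constructed answer tables so the check runs offline; the domain names and addresses are reserved documentation values, and a real deployment would wrap actual DNS queries in the same interface.

```python
from typing import Callable, Dict, List, Set, Tuple

# A resolver is modelled as a callable (name, rrtype) -> set of record data strings.
Resolver = Callable[[str, str], Set[str]]


def fake_resolver(answers: Dict[Tuple[str, str], Set[str]]) -> Resolver:
    """Offline stand-in for a DNS server, built from a constructed answer table."""
    return lambda name, rrtype: set(answers.get((name, rrtype), set()))


def classify(domain: str, expected_ns: Set[str], expected_a: Set[str],
             parent: Resolver, delegated: Resolver,
             recursives: Dict[str, Resolver]) -> List[Tuple[str, str]]:
    """parent: the TLD/parent zone (what the registrar published as NS).
    delegated: the servers the parent currently delegates to.
    recursives: the caching resolvers clients actually use."""
    findings: List[Tuple[str, str]] = []

    ns = parent(domain, "NS")
    if ns != expected_ns:
        # The parent zone now delegates to someone else: registrar-level hijacking.
        findings.append(("delegation_hijacked", ",".join(sorted(ns))))

    a = delegated(domain, "A")
    if a != expected_a:
        # Either a consequence of the hijack above or a compromised zone/nameserver.
        findings.append(("authoritative_answer_changed", ",".join(sorted(a))))

    authoritative_ok = ns == expected_ns and a == expected_a
    for name, resolver in recursives.items():
        seen = resolver(domain, "A")
        if seen == a:
            continue  # resolver agrees with the current authoritative data
        if authoritative_ok:
            # Authority is intact but this resolver answers differently: a forged
            # answer in its cache, i.e. cache poisoning, is the thing to investigate.
            findings.append((f"cache_poisoning:{name}", ",".join(sorted(seen))))
        else:
            # Authority itself changed; this resolver is simply still serving the
            # old record until its TTL expires.
            findings.append((f"stale_cache:{name}", ",".join(sorted(seen))))
    return findings


# Constructed scenario data (RFC 5737 / RFC 2606 reserved values).
DOMAIN = "victim.example."
GOOD_NS = {"ns1.victim.example.", "ns2.victim.example."}
GOOD_A = {"198.51.100.10"}
EVIL_NS = {"ns1.attacker.example."}
EVIL_A = {"203.0.113.66"}


def hijack_scenario() -> List[Tuple[str, str]]:
    """Registrar/NS records changed: the pattern described for the WikiLeaks redirect."""
    parent = fake_resolver({(DOMAIN, "NS"): EVIL_NS})
    delegated = fake_resolver({(DOMAIN, "A"): EVIL_A})
    recursives = {
        "isp-resolver": fake_resolver({(DOMAIN, "A"): EVIL_A}),     # already picked up the change
        "office-resolver": fake_resolver({(DOMAIN, "A"): GOOD_A}),  # old record, TTL not expired
    }
    return classify(DOMAIN, GOOD_NS, GOOD_A, parent, delegated, recursives)


def poisoning_scenario() -> List[Tuple[str, str]]:
    """Authoritative data intact; one recursive resolver serves a forged answer."""
    parent = fake_resolver({(DOMAIN, "NS"): GOOD_NS})
    delegated = fake_resolver({(DOMAIN, "A"): GOOD_A})
    recursives = {
        "isp-resolver": fake_resolver({(DOMAIN, "A"): EVIL_A}),
        "office-resolver": fake_resolver({(DOMAIN, "A"): GOOD_A}),
    }
    return classify(DOMAIN, GOOD_NS, GOOD_A, parent, delegated, recursives)


if __name__ == "__main__":
    print("hijack:   ", hijack_scenario())
    print("poisoning:", poisoning_scenario())
```

The response differs accordingly: a `delegation_hijacked` finding means regaining the registrar account and restoring the NS records (what the WikiLeaks administrators had to do), whereas a `cache_poisoning` finding means the domain owner's records are fine and the affected resolver's cache must be flushed.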

Shortly after the defacement, the site's administrators regained control of their DNS records, and at the time of writing the WikiLeaks website is back online, served from its legitimate servers.

OurMine is a Saudi Arabian group of hackers which claims to be a "white hat" security firm.

The group markets itself by taking over the social media accounts of high-profile targets and then encouraging them to contact the group to buy its IT security services to protect themselves from future attacks.